Sponsored by..

Monday 16 November 2015

Malware spam: "DoT Payment Receipt" / "donotreply@transport.gov.uk"

This fake financial spam has a malicious attachment:

From: donotreply@transport.gov.uk [mailto:donotreply@transport.gov.uk]
Sent: Monday, November 16, 2015 12:10 PM
To: redacted
Subject: DoT Payment Receipt

[Automated message. Do not reply]

Thank you for your payment.  It is important that you print this receipt and record the receipt number as proof of your payment. You may be asked to provide your receipt details should you have an enquiry regarding this payment.

DISCLAIMER

This email and any attachments are confidential and may contain legally privileged and/or copyright material.  You should not read, copy, use or disclose any of the information contained in this email without authorisation.  If you have received it in error please contact us at once by return email and then delete both emails.  There is no warranty that this email is error or virus free.

I haven't seen this myself, but some contacts (thank you!) have. Attached is a file PaymentReceipt.xls which comes in several different versions, the sample I saw contained this malicious macro and had a VirusTotal detection rate of 5/54. According to my sources, the different versions download a malicious binary from one of the following:

gospi.eu/~gospi/45yfqfwg/6ugesgsg.exe
piotrektest.cba.pl/45yfqfwg/6ugesgsg.exe
wmdrewniana8.cba.pl/45yfqfwg/6ugesgsg.exe
www.kolumbus.fi/~kf0963/45yfqfwg/6ugesgsg.exe


This binary has a detection rate of 3/53 and that VirusTotal report and this Malwr report indicates malicious traffic to:

182.93.220.146 (Ministry Of Education, Thailand)
78.47.66.169 (Hetzner, Germany)
89.108.71.148 (Agava, Ltd)
221.132.35.56 (Post And Telecom Company, Vietnam)


The payload is the Dridex banking trojan.

MD5s:

e25a05d3fecceb14667048c07494d65f 
32f3495cb945448a9868c5fe653b8d7e
a5dd075bd48d16a3ad13c06651b0af10
ef3805be4797271a2a9c8552f77866c1
f2b78be5e8b52976f69b076338757146

Recommended blocklist:
cba.pl
182.93.220.146
78.47.66.169
89.108.71.148
221.132.35.56

1 comment:

Eduardo Bruno da Costa Krukoski said...

Another Gen:Variant.Strictor.97353

https://www.sugarsync.com/pf/D3157977_837_126425935

... Download a zip file with:

Planilha-0029304.exe


They don't have email to abuse report!